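---
# Builds the container image for every published GitHub release, attaches a
# BuildKit SBOM and provenance attestation, and pushes it to Docker Hub under
# two tags: the release tag itself and a channel tag (`dev` for prereleases,
# `latest` otherwise).
name: Build, Secure, and Push Docker Image on Release

# `published` already fires for prereleases as well as full releases; listing
# `prereleased` too would run this job twice for every prerelease.
# (yamllint reads the `on` key as a YAML 1.1 boolean; GitHub's loader is fine.)
on:
  release:
    types: [published]

# Least privilege: the workflow only reads the repository and pushes to Docker
# Hub with a stored access token. It uses neither GHCR (`packages: write`) nor
# OIDC federation (`id-token: write`); add those back only if the push target
# or signing method changes.
permissions:
  contents: read

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      # TODO(supply-chain): pin each action to a full commit SHA instead of a
      # mutable major-version tag so a compromised or force-pushed tag cannot
      # change what runs here.
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}

      # Event data is handed to the shell through `env:` rather than expanded
      # inline with `${{ }}`, so its value can never be parsed as shell syntax.
      # The result is exposed as a step output (the step already has an `id`),
      # which is what later steps reference.
      - name: Determine Tag Type
        id: tag_type
        env:
          IS_PRERELEASE: ${{ github.event.release.prerelease }}
        run: |
          if [[ "$IS_PRERELEASE" == "true" ]]; then
            echo "tag=dev" >> "$GITHUB_OUTPUT"
          else
            echo "tag=latest" >> "$GITHUB_OUTPUT"
          fi

      # The release tag name is chosen by whoever cuts the release; passing it
      # via `env:` and quoting it keeps it from being interpreted as shell
      # syntax inside the `run` script.
      - name: Build, push, and generate SBOM and provenance
        env:
          IMAGE: docker.io/singatias/osq-website
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          CHANNEL_TAG: ${{ steps.tag_type.outputs.tag }}
        run: |
          docker buildx build \
            --provenance=true \
            --sbom=true \
            --push \
            -t "${IMAGE}:${RELEASE_TAG}" \
            -t "${IMAGE}:${CHANNEL_TAG}" \
            .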